Overview

Reconnaissance (recon for short) is a key stage in the advanced attacker's kill chain. Once attackers have breached a single endpoint, they need to discover their next targets within the victim's corporate network, most notably privileged users.

Once attackers have "zoomed in" on target users, they need to find out which computers those users are logged on to, in order to propagate to them and compromise their credentials. SMB session enumeration via the NetSessionEnum method against the DC (or other file servers) gives the attackers exactly that information. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.

By default, the NetSessionEnum method can be executed by any authenticated user, including network-connected users, which effectively means that any domain user is able to execute it remotely.

Since the only current method to modify the default permissions for NetSessionEnum is manually editing a hex (binary) registry value, we wrote the "NetCease" tool, a short PowerShell (PS) script that alters these default permissions. This hardening process should block attackers from easily obtaining valuable recon information.

Net Session Enumeration

Net Session Enumeration is a method used to retrieve information about the sessions established on a server. Any domain user can query a server for its established sessions and obtain the following information:

The name/IP address of the client computer.

The name of the user who established the session.

The number of seconds the session has been active (as of the query).

The number of seconds the session has been idle (as of the query).

Since all domain users/computers update their Group Policy approximately every 90 minutes, they establish a session to the DC to query for an update. Those sessions are visible to any domain user calling NetSessionEnum on that DC.

Several widely available tools implement this query, including the NetSess tool.

Figure 1: NetSess tool result example.

Microsoft ATA detects the use of such a query and alerts the security administrator about it.

Figure 2: Microsoft ATA alert on NetSessionEnum use.

NetSessionEnum permissions

The permissions of the NetSessionEnum method are controlled by a registry value under the following path:

By default, this binary SrvsvcSessionInfo value is a Discretionary Access Control List (DACL) containing 4 Access Control Entries (ACEs), which allow access to any user with at least one of the following characteristics:

Member of the Administrators group (Security Identifier (SID) S-1-5-32-544)

Member of the Server Operators group (SID S-1-5-32-549)

Member of the Power Users group (SID S-1-5-32-547)

Last but not least, member of the Authenticated Users group (SID S-1-5-11)

By performing a successful network authentication against a domain-joined machine, users (or attackers) obtain permission to execute NetSessionEnum on that machine, because the "Authenticated Users" SID is added to their authentication context.

Net Cease details

The NetCease script hardens access to the NetSessionEnum method by removing the execute permission for the Authenticated Users group and adding permissions for interactive, service and batch logon sessions.
This still allows any administrator, server operator and power user to call this method remotely, and any interactive/service/batch logon session to call it locally.
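To verify the state described above on a given machine, the following read-only audit script decodes the SrvsvcSessionInfo DACL and reports whether Authenticated Users (S-1-5-11) still holds an access-allowed ACE. This is an added example, not NetCease itself; it assumes the value lives under the LanmanServer\DefaultSecurity key (the page does not state the path), so adjust $keyPath if needed.

```powershell
# Added example (not part of NetCease): read-only audit of the SrvsvcSessionInfo
# DACL that governs NetSessionEnum. Assumption: the value lives under the
# LanmanServer\DefaultSecurity key; adjust $keyPath if your build differs.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'

function Get-SrvsvcSessionInfoAce {
    param([string]$Path = $keyPath, [string]$Name = $valueName)

    # The REG_BINARY value holds a self-relative security descriptor.
    $bytes = (Get-ItemProperty -Path $Path -Name $Name).$Name
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

    # Emit one object per ACE in the DACL, resolving the SID where possible.
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        $account = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' }
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $account
            AceType = $ace.AceType
            Mask    = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

function Test-NetSessionEnumHardened {
    # Hardened means there is no access-allowed ACE for Authenticated Users.
    $open = Get-SrvsvcSessionInfoAce |
        Where-Object { $_.Sid -eq 'S-1-5-11' -and $_.AceType -eq 'AccessAllowed' }
    return (-not $open)
}

Get-SrvsvcSessionInfoAce | Format-Table -AutoSize
if (Test-NetSessionEnumHardened) {
    'Hardened: Authenticated Users cannot call NetSessionEnum remotely.'
} else {
    'Default: any authenticated domain user can call NetSessionEnum remotely.'
}
```

On an unmodified machine the table shows the 4 ACEs listed above, including one for S-1-5-11; after NetCease has run, that entry is gone and the interactive, service and batch logon SIDs appear instead.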

Calling NetSess remotely against a hardened machine, using an administrator account: